Skip to content

Code security configurations are now generally available (GA)!

Code security configurations simplify the rollout of GitHub security products at scale. They help you define collections of security settings and apply them across groups of repositories.

Since the beta release on April 2, 2024, we’ve launched several improvements, including configuration enforcement and an API.

We have sunset the old organization-level code security settings UI experience along with the API parameters that complemented it.

All new changes to security settings must happen through the new code security configurations expereince. Organizations that were previously opted out of the experience have been opted back in. All default settings for new repositories have been migrated to a configuration called “Legacy” and automatically applied to new repos.

Learn more about code security configurations, the configurations REST API, or send us your feedback.

When rolling out code scanning default setup at scale (e.g., via code security configurations), GitHub checks if an advanced CodeQL setup already exists for each repository. If an advanced setup exists, GitHub retains it and does not enable the default setup.

Starting today, it will be easier to understand if a repository will be converted during an at scale rollout.

Previously, GitHub would consider a repository to be using an advanced setup if the repository had ever had a CodeQL analysis. After this change, a repository is now considered as using an advanced CodeQL setup only if:

  • In the last 90 days, there has been a CodeQL analysis for the default branch, and
  • the workflow file associated with the latest CodeQL analysis in the default branch has not been deleted or disabled.

How does this affect me?

The improvements to the detection of existing CodeQL setups impacts you only if you are doing a rollout of code scanning at scale using (e.g.,) code security configurations and had previously used CodeQL via an advanced setup on some of your repositories.

If you are doing a rollout at scale, and want a repository to be considered for conversion to default setup, you can now delete or disable the associated yml file or you can delete the associated configurations for API-based advanced setups.

These changes will simplify enabling default setup at scale by increasing the number of repositories that are converted from advanced to default setup during an at scale rollout.

How do I convert my repo from advanced setup to default setup?

You can always enable default setup at the repository level. If there is a yml workflow file in the repository, GitHub will disable it for you. If you are doing API uploads, however, you need to adjust your CI/CD systems to stop submitting analyses. Note that while default setup is enabled, all CodeQL uploads via the API will be rejected.

How do I convert my repos from advanced setup to default setup at scale?

To convert multiple repos you have two options.
1. Use the default setup repository-level API, or
2. Use organization-level code security configurations to configure all the GHAS products in one go.

Note that repositories will be converted from default to advance only if they meet any of following criteria:

  • The latest CodeQL analysis on the default branch is older than 90 days old.
  • All CodeQL configurations have been deleted.
  • (Exclusively for yml-based advanced setups) The workflow file has been deleted or disabled.

Can I use an API to bulk disable advanced setups that use yml workflow files?

Yes. You can directly disable the associated workflow file by calling the Actions endpoint via the REST API. To do so, you will need to know the name of the workflow file. The name of the workflow file can be found in the code scanning /analyses endpoint.

See more

Code security configurations will be made generally available (GA) on July 10th, 2024. At that point, we will sunset the organization-level code security settings UI experience along with the API parameters that complemented it.

If you are currently using the Update an organization REST API endpoint to set default security settings for new repositories, or the Get an organization REST API endpoint to retrieve current defaults for security settings on new repositories, those parameters will now be ignored. The parameters will be removed entirely in the next version of the REST API.

Your previous default settings in your organization have been saved to a code security configuration called “Legacy” and will continue to apply. To change the default security settings for new repositories, use the code security configurations UI, the configurations API, or the unaffected enterprise-level security settings.

Learn more about code security configurations, the configurations REST API, or send us your feedback.

See more